It’s that time of year again— the holiday season is approaching, and unfortunately, so are holiday scams. Last year, The FBI Internet Crime Complaint Center (IC3) reported that nearly 12,000 victims fell prey to holiday scams, which resulted in losses exceeding $73 million.
In this blog post, we will explore some common themes and phishing tactics that are used to target people during this festive season to help you and your employees stay protected from cybercrime as the year draws to a close.
4 AI-enhanced holiday scams
AI-driven threats are much like the threats that we see every holiday season. The main difference is that they’re more sophisticated and difficult to spot. Keep your eye out for these four popular scams.
1: Shopping scams
While it's tempting to jump on time-sensitive deals and special discounts, this eagerness can be a weakness for cybercriminals to exploit. One way they do this is by directing victims to phishing websites that offer luxury goods, electronics or popular clothing brands at suspiciously low prices. In recent years, threat researchers have seen cybercriminals register thousands of imposter domains for well-known global brands and then use them for large-scale phishing campaigns.
With the advent of generative AI (GenAI), creating convincing fake online retail stores has become easier and faster than ever. Before, it might have taken hours to generate tools that facilitated fraud. With GenAI, it now takes seconds. These fake sites feature stolen logos, lookalike domains, and sophisticated designs that closely mimic legitimate retailers.
Victims who submit a payment on these fake retail sites either receive counterfeit items or nothing at all. What’s worse is that they unknowingly hand over their personal information, including credit card numbers, to cybercriminals.
Amazon shopping scam phishing template from Proofpoint’s ZenGuide, which is based on a real-world attack that we observed.
2: Shipping scams
Just as lightning deals create urgency, shipping updates are another type of notification that people rarely ignore. When there's a perceived problem with a shipment, most people act immediately.
Scammers excel at exploiting human psychology. And this is particularly true when it comes to manipulating people through fear. They commonly use email or SMS to impersonate trusted shipping companies like UPS, FedEx, DHL or USPS. These scams typically involve delivery failures, incomplete delivery information, missing packages or packages that are allegedly held for payment.
Recently, attackers have evolved their tactics to include QR codes as phishing tools. Rather than embedding malicious URLs directly, they include QR codes that victims are prompted to scan. This emerging technique, known as QR-code phishing or quishing, has gained traction partly due to the widespread adoption of QR codes during the COVID-19 pandemic.
DHL shipping scam phishing template from Proofpoint’s ZenGuide™, which is based on a real-world attack that we observed.
3: Travel scams
During the holiday season, many people search for affordable flights and hotel deals. Cybercriminals take advantage of this by creating fake travel booking sites that feature irresistibly low prices.
In one common scenario, scammers create websites that spoof well-known online travel agencies. On these sites, victims are offered seemingly incredible package deals. If they fall for these schemes, they will typically end up paying more than the advertised price, or they receive invalid reservations with no possibility of a refund.
Expedia travel scam phishing template from Proofpoint’s ZenGuide, which is based on a real-world attack that we observed.
With the rise of AI, these scams have only grown more sophisticated. Attackers now use GenAI to create convincing phishing lures in multiple languages. While it used to be easy to spot fraudulent emails due to their poor grammar and spelling errors, this is no longer the case. Cybercriminals can now easily overcome language and cultural barriers.
Consider a scenario where a bad actor, who doesn't speak German, wants to run a travel scam that targets German speakers. AI tools make it possible to generate grammatically accurate, credible-looking emails that impersonate any major German airline. These messages include key elements—like logos, high-quality images and grammatically accurate language—that make them appear legitimate.
Travel scam phishing template from Proofpoint’s ZenGuide, which was AI-generated.
4: Charity scams
Perhaps one of the most ethically concerning schemes is charity fraud. Scammers know that people are typically more generous during the holiday season, so they tap into their generosity to take advantage of them. Not only do they steal money, but they also steal personal information for identity theft.
One way they do this is by establishing fake organizations to exploit the public’s goodwill. Multiple government entities, including the IRS and FTC, have issued warnings to be wary of organizations that refuse to provide detailed information about themselves. Another red flag is when there’s pressure to make an immediate donation. Remember: Legitimate charities welcome donations at any time, and they are transparent about their operations.
One common scenario is fraudulent toy donation campaigns. At first, victims are asked to provide personal information. Then, they are pressured to share their credit card details or make wire transfers to fraudulent accounts.
Charity scam phishing templates from Proofpoint’s ZenGuide, which are based on real-world attacks that we observed.
Tips to stay safe this holiday season
GenAI reduces the entry barrier for cybercriminals and enhances the sophistication and scalability of their phishing scams. However, AI-driven threats have not introduced any capabilities that weren’t already present in the threat landscape. Therefore, the general guidelines for staying safe remain the same.
Here are some tips for avoiding scams this holiday season. Share them with your employees and coworkers to help them identify and avoid AI-enhanced holiday scams:
- Be careful of offers or deals that seem too good to be true
- Access retailers’ official websites directly; don’t click on embedded links
- Beware of any message that demands immediate action
- Verify sender identities through alternative channels
- Always hover over email addresses to reveal the sender’s full information—and catch any display name spoofing
- Focus on the message's intent rather than grammar or spelling; these traditional red flags are now a lot less reliable
- Enable two-factor authentication whenever possible
Your free holiday stocking stuffer
Here’s a security gift from Proofpoint: The ZenGuide™ Holiday Security Kit is a complimentary resource to brighten your season. It provides four weeks of suggested content to support your security awareness efforts:
- Week 1: Learn the basics of shopping safely
- Week 2: Understand phishing messages that tap into travel scenarios
- Week 3: Identify scams that ask for a helping hand
- Week 4: Wrap up the campaign with an ad-libs word game